{"id":548,"date":"2012-07-10T10:55:05","date_gmt":"2012-07-10T02:55:05","guid":{"rendered":"http:\/\/rmohan.com\/?p=548"},"modified":"2012-07-10T10:56:57","modified_gmt":"2012-07-10T02:56:57","slug":"send-email-on-root-login","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=548","title":{"rendered":"Send Email on Root Login"},"content":{"rendered":"<h2>Send Email on Root Login<\/h2>\n<div>\n<p>Since root should not have direct login access via SSH and we have set up our user to use <a href=\"http:\/\/www.syntaxtechnology.com\/?p=31\">sudo<\/a>, <strong>root<\/strong> should be logged into very rarely. In an effort to alert the System Administrator when someone logs into <strong>root<\/strong>, I have set up my system to send out an email on root login.<\/p>\n<ul>\n<li>Log in as root\n<div>\n<div id=\"highlighter_426508\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>su -<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/li>\n<li>Change to the root user\u2019s home directory\n<div>\n<div id=\"highlighter_330943\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>cd ~<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<ul>\n<li>Edit the root user\u2019s .bashrc file (in this example I use nano, but using vi, emacs, pico, etc. is fine)\n<div>\n<div id=\"highlighter_230055\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>nano .bashrc<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<ul>\n<li>Add the following block of code to the end of <strong>.bashrc<\/strong>.
This will send an email to example@example.com (change as appropriate)\n<div>\n<div id=\"highlighter_407425\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>echo 'ALERT - Root Shell Access () on:' `date` `who` | mail -s \"Alert: Root Access from `who | cut -d\"(\" -f2 | cut -d\")\" -f1`\" example@example.com<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<ul>\n<li>When <strong>root<\/strong> logs in you will receive a message similar to this\n<div>\n<div id=\"highlighter_261353\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>ALERT - Root Shell Access () on: Tue Jun 16 11:04:10 CDT 2009 user123 pts\/0 2009-06-16 11:04<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<p>Word of warning: Send this to an email account that is not hosted on the same machine. If someone can log into root, they can see mail spools on the entire server. It would be a trivial matter to delete this message from the spool so the real System Administrator never sees this message.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Send Email on Root Login <\/p>\n<p>Since root should not have direct login access via SSH and we have set up our user to use sudo, root should be logged into very rarely.
In an effort to alert the System Administrator when someone logs into root, I have set up my system to send out [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/548"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=548"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/548\/revisions"}],"predecessor-version":[{"id":550,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/548\/revisions\/550"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}